Message-ID: <bd2d21fb90cbb4905afcb5d934c48e4ff23a3ed8.1746037489.git.sergii.dmytruk@3mdeb.com>
Date: Thu,  1 May 2025 01:44:46 +0300
From: Sergii Dmytruk <sergii.dmytruk@...eb.com>
To: linux-kernel@...r.kernel.org
Cc: trenchboot-devel@...glegroups.com
Subject: [RFC PATCH v2 4/9] x86: Split up Secure Launch setup and finalize functions

From: Ross Philipson <ross.philipson@...cle.com>

Split up the setup and finalize functions internally to determine
the type of launch and call the appropriate function (TXT or SKINIT
version).

Signed-off-by: Ross Philipson <ross.philipson@...cle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@...eb.com>
---
 arch/x86/include/asm/svm.h |  2 ++
 arch/x86/kernel/setup.c    |  2 +-
 arch/x86/kernel/slaunch.c  | 69 +++++++++++++++++++++++++++++++-------
 include/linux/slaunch.h    |  4 +--
 4 files changed, 62 insertions(+), 15 deletions(-)

diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 9b7fa99ae951..da9536c5a137 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -584,6 +584,8 @@ static inline void __unused_size_checks(void)
 
 #define SVM_CPUID_FUNC 0x8000000a
 
+#define SVM_VM_CR_INIT_REDIRECTION 1
+
 #define SVM_SELECTOR_S_SHIFT 4
 #define SVM_SELECTOR_DPL_SHIFT 5
 #define SVM_SELECTOR_P_SHIFT 7
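Review bot: The name `SVM_VM_CR_INIT_REDIRECTION` does not say whether the value is a bit position or a mask, and the only user in this patch has to shift it (`1 << SVM_VM_CR_INIT_REDIRECTION`) against a u64 read from MSR_VM_CR. A one-line comment on the define would remove the ambiguity, e.g. `/* Bit number of the INIT redirection flag in MSR_VM_CR */`. Using `BIT_ULL(SVM_VM_CR_INIT_REDIRECTION)` at the call site in slaunch.c would also keep the mask the same width as the MSR value.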
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index afb1b238202f..3bcf5a5fbac7 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -999,7 +999,7 @@ void __init setup_arch(char **cmdline_p)
 	early_gart_iommu_check();
 #endif
 
-	slaunch_setup_txt();
+	slaunch_setup();
 
 	/*
 	 * partially used pages are not usable - thus
diff --git a/arch/x86/kernel/slaunch.c b/arch/x86/kernel/slaunch.c
index b6ba4c526aa3..d81433a9b699 100644
--- a/arch/x86/kernel/slaunch.c
+++ b/arch/x86/kernel/slaunch.c
@@ -18,6 +18,7 @@
 #include <asm/tlbflush.h>
 #include <asm/e820/api.h>
 #include <asm/setup.h>
+#include <asm/svm.h>
 #include <asm/realmode.h>
 #include <linux/slr_table.h>
 #include <linux/slaunch.h>
@@ -437,21 +438,11 @@ void __init slaunch_fixup_jump_vector(void)
  * Intel TXT specific late stub setup and validation called from within
  * x86 specific setup_arch().
  */
-void __init slaunch_setup_txt(void)
+static void __init slaunch_setup_txt(void)
 {
 	u64 one = TXT_REGVALUE_ONE, val;
 	void __iomem *txt;
 
-	if (!boot_cpu_has(X86_FEATURE_SMX))
-		return;
-
-	/*
-	 * If booted through secure launch entry point, the loadflags
-	 * option will be set.
-	 */
-	if (!(boot_params.hdr.loadflags & SLAUNCH_FLAG))
-		return;
-
 	/*
 	 * See if SENTER was done by reading the status register in the
 	 * public space. If the public register space cannot be read, TXT may
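Review bot: The comment kept above `slaunch_setup_txt()` still says it is called from setup_arch(), but after this change the function is static and reached only through `slaunch_setup()`, which now owns the SMX and SLAUNCH_FLAG checks removed here. Nothing in the function records that it depends on those checks, so a future direct caller could run the TXT register validation on a boot that never went through the Secure Launch entry point. I would add the precondition to the header comment, e.g. `* Caller must have verified X86_FEATURE_SMX and SLAUNCH_FLAG in boot_params.hdr.loadflags.` The body of the function continues outside this hunk.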
@@ -523,6 +514,42 @@ void __init slaunch_setup_txt(void)
 	pr_info("Intel TXT setup complete\n");
 }
 
+/*
+ * AMD SKINIT specific late stub setup and validation called from within
+ * x86 specific setup_arch().
+ */
+static void __init slaunch_setup_skinit(void)
+{
+	u64 val;
+
+	/*
+	 * If the platform is performing a Secure Launch via SKINIT
+	 * INIT_REDIRECTION flag will be active.
+	 */
+	rdmsrl(MSR_VM_CR, val);
+	if (!(val & (1 << SVM_VM_CR_INIT_REDIRECTION)))
+		return;
+
+	/* Set flags on BSP so subsequent code knows it was a SKINIT launch */
+	sl_flags |= (SL_FLAG_ACTIVE|SL_FLAG_ARCH_SKINIT);
+	pr_info("AMD SKINIT setup complete\n");
+}
+
+void __init slaunch_setup(void)
+{
+	/*
+	 * If booted through secure launch entry point, the loadflags
+	 * option will be set.
+	 */
+	if (!(boot_params.hdr.loadflags & SLAUNCH_FLAG))
+		return;
+
+	if (boot_cpu_has(X86_FEATURE_SMX))
+		slaunch_setup_txt();
+	else if (boot_cpu_has(X86_FEATURE_SKINIT))
+		slaunch_setup_skinit();
+}
+
 static inline void smx_getsec_sexit(void)
 {
 	asm volatile ("getsec\n"
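Review bot: `slaunch_setup_skinit()` returns silently when the INIT_REDIRECTION bit is clear, although `slaunch_setup()` has already established that the kernel was entered through the Secure Launch entry point (SLAUNCH_FLAG set). In that case sl_flags never gets SL_FLAG_ACTIVE and nothing is logged, so the system continues as an ordinary boot with no trace that a measured launch was expected and not recognised. The same applies when neither SMX nor SKINIT is present. I would log the mismatch before returning, e.g. `pr_warn("Secure Launch flag set but SKINIT INIT_REDIRECTION is not active\n");`, and add a final `else` with a similar message in `slaunch_setup()`. A single VM_CR bit is also the only evidence taken that SKINIT ran, so a short comment on why that is sufficient (and a header comment on `slaunch_setup()` itself) would help reviewers of the DRTM trust chain.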
@@ -533,7 +560,7 @@ static inline void smx_getsec_sexit(void)
  * Used during kexec and on reboot paths to finalize the TXT state
  * and do an SEXIT exiting the DRTM and disabling SMX mode.
  */
-void slaunch_finalize(int do_sexit)
+static void slaunch_finalize_txt(int do_sexit)
 {
 	u64 one = TXT_REGVALUE_ONE, val;
 	void __iomem *config;
@@ -594,3 +621,21 @@ void slaunch_finalize(int do_sexit)
 
 	pr_info("TXT SEXIT complete.\n");
 }
+
+/*
+ * Used during kexec and on reboot paths to finalize the SKINIT.
+ */
+static void slaunch_finalize_skinit(void)
+{
+	/* AMD CPUs with PSP-supported DRTM */
+	if (!slaunch_is_skinit_psp())
+		return;
+}
+
+void slaunch_finalize(int do_sexit)
+{
+	if (boot_cpu_has(X86_FEATURE_SMX))
+		slaunch_finalize_txt(do_sexit);
+	else if (boot_cpu_has(X86_FEATURE_SKINIT))
+		slaunch_finalize_skinit();
+}
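Review bot: `slaunch_finalize()` chooses the path from CPU feature bits rather than from the launch type recorded in sl_flags during setup, so on any SKINIT-capable CPU `slaunch_finalize_skinit()` is entered on every kexec or reboot whether or not a Secure Launch took place. Whether the callees guard against that is not visible here (the body of slaunch_finalize_txt is outside the hunk and slaunch_is_skinit_psp() is defined elsewhere); dispatching on the recorded state, e.g. `else if (slaunch_get_flags() & SL_FLAG_ARCH_SKINIT)`, would make the condition explicit. As written `slaunch_finalize_skinit()` does nothing on either outcome of its check, and `do_sexit` is ignored on the SKINIT path. If the PSP teardown arrives in a later patch of the series, a comment saying so, such as `/* PSP DRTM teardown is added by a later patch; do_sexit is TXT-only */`, would keep this from reading as a finished finalize step.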
diff --git a/include/linux/slaunch.h b/include/linux/slaunch.h
index ec7e0d736a03..22e253960fdd 100644
--- a/include/linux/slaunch.h
+++ b/include/linux/slaunch.h
@@ -547,7 +547,7 @@ static inline int tpm2_log_event(struct txt_heap_event_log_pointer2_1_element *e
 /*
  * External functions available in mainline kernel.
  */
-void slaunch_setup_txt(void);
+void slaunch_setup(void);
 void slaunch_fixup_jump_vector(void);
 u32 slaunch_get_flags(void);
 struct sl_ap_wake_info *slaunch_get_ap_wake_info(void);
@@ -563,7 +563,7 @@ void slaunch_psp_finalize(void);
 
 #else
 
-static inline void slaunch_setup_txt(void)
+static inline void slaunch_setup(void)
 {
 }
 
-- 
2.49.0

